I just spent the last several days reading the lengthy essay "Ying and Yang of Security" which explores the origins of security on the personal computer and explains why the current models are outdated. It seems to argue that security systems designed to keep the system safe are relics of the days of mainframes when the system was more important than the user, but for a personal computer the user is more important than the system.

I tried to be objective, but then I got to: Let's say you have something like Apache running as a web server, serving out lots of virtual websites. 'Virtual Hosts' are what allow you to have ungodly amounts of sites on one server, and as far as the system is concerned are the equivalent of users. This is so that, ideally, person x can't FTP into their site and then have access to person y's files... that sort of thing.

But Apache needs to have access to them all, as well as higher-level files that no other users can get to, to do things like write to its log files. In order to be able to do this, Apache has to have escalated privileges, which is about the same as saying Apache is running as the equivalent of 'root'. Apache is just one of many examples you could give, but it poses some real problems. Namely, if you are able to exploit Apache, the system is your playground, because of what Apache is able to access.

I'm running Apache as 'www' in a chroot jail, and that is without any effort on my part; OpenBSD ships that way. Furthermore, 'www' has a lot fewer privileges than 'root', so the premise that owning Apache will compromise the 'system' is hardly true; you are going to have to find a way to escalate your privileges, and /bin/noshell isn't going to help you much. If you want to make sure users of different sites don't endanger other users, I suppose you can run multiple instances of Apache under users 'www01', 'www02', etc. Next, put Squid, running as '_squid', on port 80 and redirect all requests to the correct instance of Apache. So, I agree that 'virtual sites' can be the equivalent of 'users', but that is the key to locking down each site, not a barrier to security. You will have to exploit Squid just to get to Apache, and then you will find that owning site 1 doesn't help you get to site 2. The key to all of this was the *nix model of privilege.
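The layout described above (one Apache instance per site user, Squid as the only thing on port 80) is easy to set up and just as easy to drift away from, so here is an added example, not from the original post, of a small script that verifies it is still in place. The first check reads a process listing and insists that every httpd runs as a dedicated per-site user and that no two instances share a user; the second reads squid.conf, written in Squid's accelerator mode (`http_port 80 accel vhost`, `cache_peer ... originserver`), and insists that every backend Squid forwards to is bound to 127.0.0.1, so the Apache instances are only reachable through Squid. The process listings and squid.conf contents are constructed samples, and the 'www01'/'www02' naming, the ports and the config file paths are assumptions, not OpenBSD defaults.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the privilege
# separation the post describes actually holds on a host.
#   1. every httpd process runs as a dedicated per-site user (www01, www02, ...)
#      and no two Apache instances share a user;
#   2. every backend Squid forwards to is bound to the loopback address, so
#      the per-site Apache instances are reachable only via the '_squid' front end.
# All listings below are constructed sample data; user names, ports and paths
# are assumptions.

# Check 1. Input: lines of "user pid command [args]" in the shape produced by
# `ps -axo user,pid,command`. Prints each violation; returns 0 when clean, 1 otherwise.
check_httpd_users() {
    printf '%s\n' "$1" | awk '
        $3 ~ /httpd$/ {
            user = $1; conf = "(default)"
            for (i = 4; i <= NF; i++) if ($i == "-f") conf = $(i + 1)
            if (user !~ /^www[0-9][0-9]$/) {
                print "VIOLATION: httpd running as " user ": " $0
                bad = 1
                next
            }
            if ((user in owner) && owner[user] != conf) {
                print "VIOLATION: user " user " shared by " owner[user] " and " conf
                bad = 1
            }
            owner[user] = conf
        }
        END { exit bad }'
}

# Check 2. Input: the text of squid.conf. Every cache_peer must point at
# 127.0.0.1, and Squid itself must be the port 80 front end.
check_backends_local() {
    printf '%s\n' "$1" | awk '
        $1 == "cache_peer" && $2 != "127.0.0.1" {
            print "VIOLATION: backend " $2 ":" $4 " is reachable without going through Squid"
            bad = 1
        }
        $1 == "http_port" && $2 == "80" { front = 1 }
        END {
            if (!front) { print "VIOLATION: no http_port 80 front end"; bad = 1 }
            exit bad
        }'
}

# Constructed sample process listings (not captured from a real host).
GOOD_PS='_squid 124 /usr/sbin/squid -f /etc/squid/squid.conf
www01 201 /usr/sbin/httpd -f /etc/httpd01.conf
www01 203 /usr/sbin/httpd -f /etc/httpd01.conf
www02 202 /usr/sbin/httpd -f /etc/httpd02.conf'

# Two instances share www01, and a third instance runs as root.
BAD_PS='_squid 124 /usr/sbin/squid -f /etc/squid/squid.conf
www01 201 /usr/sbin/httpd -f /etc/httpd01.conf
www01 202 /usr/sbin/httpd -f /etc/httpd02.conf
root 999 /usr/sbin/httpd -f /etc/httpd-legacy.conf'

# Constructed squid.conf: Squid on :80, one loopback backend per site.
GOOD_SQUID='http_port 80 accel vhost
cache_peer 127.0.0.1 parent 8001 0 no-query originserver name=site01
cache_peer 127.0.0.1 parent 8002 0 no-query originserver name=site02
acl site01 dstdomain site01.example
acl site02 dstdomain site02.example
cache_peer_access site01 allow site01
cache_peer_access site02 allow site02
http_access allow site01
http_access allow site02
http_access deny all'

# One backend is on a routable address, so it can be hit without going through Squid.
BAD_SQUID='http_port 80 accel vhost
cache_peer 127.0.0.1 parent 8001 0 no-query originserver name=site01
cache_peer 192.0.2.10 parent 8002 0 no-query originserver name=site02'

# Stand-alone run: report on each constructed sample.
check_httpd_users "$GOOD_PS" && echo "process check (GOOD_PS): ok"
check_httpd_users "$BAD_PS" || echo "process check (BAD_PS): violations found, as expected"
check_backends_local "$GOOD_SQUID" && echo "squid check (GOOD_SQUID): ok"
check_backends_local "$BAD_SQUID" || echo "squid check (BAD_SQUID): violations found, as expected"
```

On a live host you would feed the functions `ps -axo user,pid,command` output and the real squid.conf instead of the samples; the user name pattern and the loopback rule are the only policy the script encodes, and both are trivially adjusted if the instances are named or bound differently.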